Internet Related/Filtering/Firewall Thread: Need a Dansguardian / Squid configuration expert (in Technical)
  1. #31

    Join Date
    Dec 2005
    Posts
    535
    Thank Post
    34
    Thanked 89 Times in 79 Posts
    Rep Power
    39
    Hehe those lines are from my script.... I just had more children to make sure there were plenty of helper processes to auth with...

    Probably way beyond required but the system has plenty of resources and I wanted to see if it helped any

  2. #32

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,624
    Thank Post
    1,240
    Thanked 778 Times in 675 Posts
    Rep Power
    235
    Quote, originally posted by dhicks:
    I was told SchoolGuardian can’t handle multiple internet connections, we would need Advanced Firewall to do that.
    Just to check I'm on the right track here: We have a nice, shiny new copy of School Guardian with all updates installed. It seems to be able to do failover between two ADSL connections, but it can't load-balance between them. To do that, I'm aiming for a Debian install with IPTables rules as described here:

    How To: Load Balancing & Failover With Dual/ Multi WAN / ADSL / Cable Connections on Linux

    --
    David Hicks

  3. #33
    Number6's Avatar
    Join Date
    Feb 2009
    Location
    Worcester, UK
    Posts
    457
    Thank Post
    2
    Thanked 9 Times in 8 Posts
    Rep Power
    13
    Having not been able to get back onto the squid install til today from last Friday I'm happy to report that I now have Squid running and authenticating to the AD usernames, IE transparently and other browsers requiring a username and password.

    Achieved with thanks to a member of Edugeek for his support and invaluable advice last Friday and Today + copious quantities of Google! (and tea)

    Now I have to get DG installed and configured but that's a task for tomorrow.

  4. #34


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,475
    Thank Post
    866
    Thanked 849 Times in 671 Posts
    Rep Power
    196
    David - It may be that only advanced firewall can do that (I can't honestly remember and I don't have SG to hand) - ring your account manager, I am sure they'll swap it out for you!

  5. #35
    Number6's Avatar
    Right

    I'm moving along slowly.

    Squid and DG are working using ntlm_auth against AD users and this is all fine.

    I have two problems to resolve though:

    1) When I reboot the server clients won't authenticate. I have to stop squid, run winbind-ch.sh and then restart squid, it then works fine until the next reboot when I have to rerun the preceding. Winbind-ch.sh is in rc2.d and I've tried playing with the run times to no avail. Any ideas?

    2) How do I get DG to recognise filtergroups? I've set up two groups, one filtered and one not and I put my AD username in the filtergroups list but clients won't read it. Is there anything else I need to do to make groups work?

  6. #36

    dhicks's Avatar
    Quote, originally posted by tom_newton:
    ring your account manager, I am sure they'll swap it out for you!
    Well, yes, but that would cost us more money. I'm setting up another machine to act as a load-balancing router for the two ADSL connections - I'm currently looking at using ZeroShell, that seems to do what we want, unless anyone can suggest a better solution?

    --
    David Hicks

  8. #38


    Join Date
    Oct 2006
    Posts
    3,411
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    1. Yep that's a problem with Ubuntu. You need to add the script to change permissions as a startup cron job. Debian doesn't have that problem.

    2. Did you download my zip file I PMed you with? It's all in there.

    Basically it looks like this



    filtergroupslist
    Code:
    user1=filter1
    user2=filter1
    user3=filter2


    dansguardian.conf
    Code:
    ...
    filtergroups = 4	
    filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
    ...


    dansguardianf1.conf
    Code:
    ...
    groupname = 'Unauthenticated/Banned'
    ...



    dansguardianf2.conf
    Code:
    ...
    groupname = 'Pupils'
    
    # Content filtering files location
    bannedphraselist = '/etc/dansguardian/lists/groups/pupils/bannedphraselist'
    weightedphraselist = '/etc/dansguardian/lists/groups/pupils/weightedphraselist'
    exceptionphraselist = '/etc/dansguardian/lists/groups/pupils/exceptionphraselist'
    bannedsitelist = '/etc/dansguardian/lists/groups/pupils/bannedsitelist'
    greysitelist = '/etc/dansguardian/lists/groups/pupils/greysitelist'
    exceptionsitelist = '/etc/dansguardian/lists/groups/pupils/exceptionsitelist'
    bannedurllist = '/etc/dansguardian/lists/groups/pupils/bannedurllist'
    greyurllist = '/etc/dansguardian/lists/groups/pupils/greyurllist'
    etc etc
    ...



    dansguardianf3.conf
    Code:
    ...
    groupname = 'Staff'
    ...
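
Added example, not part of the post above or of the poster's zip file: a small Python cross-check of the filter-group layout the post describes, confirming that every group from 1 to `filtergroups` has a `dansguardianfN.conf` and that every `filtergroupslist` line is a valid `user=filterN` mapping. The sample text, the `user4`/`user5` lines, the list of files present and the function names are constructed for illustration.

```python
import re

# Constructed sample input mirroring the layout shown in the post.
DG_CONF = """\
filtergroups = 4
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
"""
GROUPS_LIST = """\
# user=filterN, one mapping per line
user1=filter1
user2=filter1
user3=filter2
user4=filter7
user5 = staff
"""
GROUP_FILES = ["dansguardianf1.conf", "dansguardianf2.conf", "dansguardianf3.conf"]


def read_setting(conf_text, key):
    """Return the unquoted value of `key = value` in dansguardian.conf text."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+?)\s*$", conf_text, re.M)
    return m.group(1).strip("'\"") if m else None


def check_filtergroups(conf_text, list_text, group_files):
    """Cross-check group count, per-group config files and user mappings."""
    problems, mapping = [], {}
    count = int(read_setting(conf_text, "filtergroups") or 1)
    for n in range(1, count + 1):
        if f"dansguardianf{n}.conf" not in group_files:
            problems.append(f"missing dansguardianf{n}.conf")
    for lineno, raw in enumerate(list_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([^=\s]+)=filter(\d+)", line)
        if not m:
            problems.append(f"line {lineno}: not in user=filterN form: {line!r}")
            continue
        user, group = m.group(1), int(m.group(2))
        if not 1 <= group <= count:
            problems.append(f"line {lineno}: {user} -> filter{group} outside 1..{count}")
            continue
        mapping[user] = group
    return mapping, problems


if __name__ == "__main__":
    users, issues = check_filtergroups(DG_CONF, GROUPS_LIST, GROUP_FILES)
    print(users)
    print("\n".join(issues))
```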

  9. #39

    1. Yep that's a problem with Ubuntu. You need to add the script to change permissions as a startup cron job. Debian doesn't have that problem.
    Damn might have to take a look at debian the next time I'm building a squid / dg box....

    That permissions thing always irritates me!

  10. #40
    Number6's Avatar
    Quote, originally posted by j17sparky:
    1. Yep that's a problem with Ubuntu. You need to add the script to change permissions as a startup cron job. Debian doesn't have that problem.

    2. Did you download my zip file I PMed you with? It's all in there.

    Basically it looks like this



    filtergroupslist
    Code:
    user1=filter1
    user2=filter1
    user3=filter2


    dansguardian.conf
    Code:
    ...
    filtergroups = 4	
    filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
    ...


    dansguardianf1.conf
    Code:
    ...
    groupname = 'Unauthenticated/Banned'
    ...



    dansguardianf2.conf
    Code:
    ...
    groupname = 'Pupils'
    
    # Content filtering files location
    bannedphraselist = '/etc/dansguardian/lists/groups/pupils/bannedphraselist'
    weightedphraselist = '/etc/dansguardian/lists/groups/pupils/weightedphraselist'
    exceptionphraselist = '/etc/dansguardian/lists/groups/pupils/exceptionphraselist'
    bannedsitelist = '/etc/dansguardian/lists/groups/pupils/bannedsitelist'
    greysitelist = '/etc/dansguardian/lists/groups/pupils/greysitelist'
    exceptionsitelist = '/etc/dansguardian/lists/groups/pupils/exceptionsitelist'
    bannedurllist = '/etc/dansguardian/lists/groups/pupils/bannedurllist'
    greyurllist = '/etc/dansguardian/lists/groups/pupils/greyurllist'
    etc etc
    ...



    dansguardianf3.conf
    Code:
    ...
    groupname = 'Staff'
    ...
    I did all that but DG seems to be ignoring it. Everyone is defaulting to group 1

  11. #41
    Number6's Avatar
    Should the originator's username be logged in the DG access log?

  12. #42


    Yep, assuming you have logging turned on.

    Authentication deffo working? This guide is for Suse, but it shows you everything you need to know to get authentication working. http://en.opensuse.org/Setting_up_Sq...sGuardian_Sarg
    Last edited by j17sparky; 16th April 2010 at 02:09 PM.

  13. #43
    Number6's Avatar
    This is odd now. Everything appears OK according to all the guides I've read, all wbinfo, kinit, etc commands give the right responses but no usernames are being logged. Also I've just tried browsing from a non-domain pc and it hasn't asked for authentication.

  14. #44
    Number6's Avatar
    If I point the browser at the squid port then the request is authenticated. If I point it at the DG port it isn't authenticated?

  15. #45
    Number6's Avatar
    Had enough for now. Look again next week.

    DG conf file is set to listen on 8080 and the proxy port is set to 3128.

    Squid.conf is set to use ntlm_auth.

    All wbinfo checks and kinit respond OK.

    If the browser is pointed at 3128 then authentication is requested but if pointed at 8080 then it appears not to be and filtering for all users takes place as per group 1, neither are usernames logged in either the squid or DG access logs.
